2. MPLS is the new ATM / Frame Relay
— The similarity to ATM and Frame Relay is that at each hop through the network, the 'label' value in the header is changed.
— MPLS labels are used to forward IP packets
without looking at IP (Destination field)!
— MPLS can forward IP, IPv6, Ethernet, HDLC,
PPP and other L2 technologies.
— Forwarding decision for an IP packet could
take some time (in the past, not now!)
3. MPLS Forwarding
— Forwarding decision is Label based.
— You need to have a forwarding table
consisting of incoming labels to be
swapped by outgoing labels and a next
hop.
— Traffic Engineering = Source-based
Forwarding
— Traffic Engineering was first called Routing
with Resource Reservation (R3 - RRR)
5. BGP-Free Core
— The Label tells every router to which
egress it must be forwarded
— BGP is no longer required at Core.
— Decision is made at the Edge. (PE)
— Core just forwards data based on the
Label value to the next hop (Edge
Decision)
6. VPN Models
— Overlay VPN Model
◦ No routing-protocol peering occurs between a customer and service provider router.
◦ Point-to-Point
— Peer-to-Peer VPN Model
◦ Service provider router (PE) peers directly with customer router (CE) at Layer 3
◦ MPLS VPN = VRF labeled packets
◦ no hassle with creating many VCs or route filters
7. MPLS Label
— MPLS Label = 32 bits
◦ 20 bit Label
— MPLS Stack has no limit. (n x Labels)
— MPLS is not a L2 protocol
— L2 encapsulation is still present before the
labeled packets.
— Call it layer 2.5!!
9. Label Stack
— Top label and bottom label on a stack (the trailing bit is S, bottom-of-stack; it is 1 only on the last entry):
Label EXP S=0 TTL
Label EXP S=0 TTL
Label EXP S=1 TTL
…
10. Label Stack (cont.)
— Some MPLS applications like MPLS VPNs require more than one label in the label stack to forward the packets.
◦ Example: MPLS VPNs put two labels in the label stack.
PPP | Label 0 (top) | Label 1 (bottom) | IPv4
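The 32-bit label stack entry and the bottom-of-stack walk described above, as an added example that is not part of the original slides: it packs and parses stack entries (20-bit label, 3-bit EXP, S bit, 8-bit TTL), stops at the S bit, and names the reserved label values the deck lists (label 2, IPv6 explicit null, is added from RFC 3032 and is not on the slides). Function names and the constructed sample stack are this example's own.

```python
import struct

# Reserved label values: the four named on the slides, plus 2 (IPv6 explicit null, RFC 3032).
RESERVED = {0: "explicit-null", 1: "router-alert", 2: "ipv6-explicit-null",
            3: "implicit-null", 14: "oam-alert"}


def encode_entry(label, exp=0, bottom=False, ttl=255):
    """Pack one 32-bit label stack entry: 20-bit label, 3-bit EXP, 1-bit S, 8-bit TTL."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    if not 0 <= exp < 8 or not 0 <= ttl < 256:
        raise ValueError("EXP is 3 bits, TTL is 8 bits")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def encode_stack(entries):
    """entries: (label, exp, ttl) tuples, top label first; S is set on the last one only."""
    last = len(entries) - 1
    return b"".join(encode_entry(l, e, i == last, t) for i, (l, e, t) in enumerate(entries))


def decode_stack(data):
    """Walk 4-byte entries until the S bit is seen; return (entries, payload).
    Each entry is a dict with label/exp/bottom/ttl plus the reserved-label name, if any."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated label stack (no bottom-of-stack bit seen)")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        label = word >> 12
        entries.append({"label": label, "exp": (word >> 9) & 0x7,
                        "bottom": bool((word >> 8) & 0x1), "ttl": word & 0xFF,
                        "reserved": RESERVED.get(label)})
        if entries[-1]["bottom"]:
            return entries, data[off:]


def check_stack(entries):
    """Receiver-side sanity checks: implicit null (3) is only ever signalled, never sent
    on the wire, and values 0-15 are reserved, so any of them not named in RESERVED is
    flagged as unassigned."""
    problems = []
    for i, e in enumerate(entries):
        if e["label"] == 3:
            problems.append(f"entry {i}: implicit null on the wire")
        elif e["label"] < 16 and e["reserved"] is None:
            problems.append(f"entry {i}: unassigned reserved label {e['label']}")
    return problems


if __name__ == "__main__":
    # Constructed two-label MPLS VPN stack (transport label 16 on top, VPN label 200 below).
    wire = encode_stack([(16, 5, 63), (200, 0, 63)])
    entries, payload = decode_stack(wire + b"\x45\x00")  # two constructed IPv4 header bytes
    print(entries, payload, check_stack(entries))
```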
11. L2 Protocol Identifier
— The data link layer protocol identifier (e.g. the Ethertype or PPP protocol field) identifies MPLS in the encapsulating frame.
— ATM uses a different method for encapsulating the MPLS Label.
13. LSP
— LSP = Label Switched Path
— An LSP is a unidirectional path through the MPLS network.
— Might be a nested LSP.
— The router is an LSR while the path is an LSP.
14. FEC
— FEC (Forwarding Equivalence Class) is a flow of packets that receive the same forwarding treatment. (Same FEC, Same Label)
— Packets with the same label might be from different FECs (different EXP)
— The ingress LSR decides the FEC.
15. Label Assignment
— Label has no global meaning.
— The LSR creates a label for every IGP prefix in the routing table and sends it to its neighbors.
— Neighbors store remote and local
bindings in LIB. (Label / Prefix)
— Adjacent LSRs agree on which label to
use for each IGP prefix. (In / Out)
16. Label Distribution
— No IGP has been changed to deploy label distribution.
— BGP has done that. (Label distribution via the MP-BGP capability for MPLS VPNs)
— A separate label distribution protocol is therefore needed.
17. Label Distribution Protocols
— Tag Distribution Protocol (TDP)
— Label Distribution Protocol (LDP)
— Resource Reservation Protocol (RSVP)
◦ MPLS TE only.
◦ ISIS and OSPF have TE capability.
— MP-BGP (MPLS VPN)
18. Label Space
— Per-platform
— Per-interface (one local binding per prefix
per interface)
◦ the packet is not forwarded based on the incoming label alone but on incoming label + incoming interface!
◦ LC-ATM (Label-switching Controlled ATM) interfaces use this labeling scheme.
19. Label Distribution Modes
— Unsolicited Downstream (UD)
◦ Labels are pushed to adjacent LSRs without waiting for their request (default on Cisco interfaces)
— Downstream-on-Demand (DoD)
◦ LC-ATM interfaces
20. Label Retention Modes
— LLR - Liberal Label Retention
◦ keeps all received bindings in the LIB
◦ only uses one of them for LFIB
◦ faster convergence
◦ Cisco default
— CLR - Conservative Label Retention
◦ does not keep all received bindings
◦ LC-ATM interfaces default
21. Label Control Modes
— Independent LSP Control mode
◦ The LSR creates a local binding as soon as it recognizes the FEC.
◦ Cisco Default
— Ordered LSP Control mode (ATM switches)
◦ LSR only creates a local binding if it has received
a label binding from next-hop, or it is the Egress
LSR for the FEC.
◦ waits for LSP set up end to end.
22. MPLS Protocol Field
— MPLS has no Network-Level-Protocol-ID
field which all L2 protocols have.
— Intermediate LSRs do not need to know
what MPLS payload is, but an Egress LSR
must know.
— The egress LSR knows the payload because it is the LSR that created the label binding for that FEC in the first place.
23. Label Operations
— Pop
◦ Pops/removes one label
— Swap
◦ Changes the top label with another label
— Push
◦ adds one or more labels (swapping might happen
before adding)
— Untagged/No Label
◦ forwards without a label.
— Aggregate
◦ The label stack is removed and an IP lookup is required (inside the VRF).
24. Reserved Labels
— 0 Explicit Null
◦ to preserve the QoS (EXP) information
— 1 Router Alert
— 3 Implicit Null
◦ Signals for PHP (penultimate hop popping)
— 14 OAM Alert
25. Reserved Labels (cont.)
— 1 Router Alert
◦ Packet will not be forwarded in hardware.
Software look up must happen.
— 14 OAM Alert
◦ Reserved label for OAM operation.
◦ Cisco does not use this label for OAM.
26. Reserved Labels (cont.)
— 3 Implicit Null
◦ Signals for PHP (penultimate hop popping)
egress LSR assigns this to the connected and
summarized prefixes.
◦ Signals the penultimate LSR to send packets
without the top label (not the whole label
stack only one)
27. Reserved Labels (cont.)
— 0 Explicit Null
◦ When the label is removed, the EXP bits are removed with it; use Label 0 to preserve the QoS information.
28. Unreserved Labels
— Label value is 20 bits: 16 to 1,048,575
— Cisco drops packets carrying an unknown label and does not fall back to the IP lookup process.
— Cisco default range: 16 to 100,000
(config)# mpls label range 16 200000
# show mpls label range
29. Label TTL
— TTL is propagated from IP header to MPLS and
vice versa. (decremented by 1)
— IOS does not copy the MPLS TTL into the IP header if it is greater than the IP TTL.
— The TTL of the top label is changed by intermediate LSRs.
— If an LSR receives TTL = 1 then
◦ it sends ICMP time exceeded (type 11, code 0) to the originator.
◦ Because the TTL expired inside the LSP, the ICMP message is not sent back unlabeled: it keeps the label stack and is sent along the LSP until it reaches the originator. Intermediate LSRs have no idea how to reach the originator's IP (only the egress knows).
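An added example (not from the original slides) of the label operations, reserved-label handling and TTL rules in sections 23 to 29: a small LFIB simulator that swaps, pops (implicit null = PHP), aggregates into the VRF, drops unknown labels without an IP lookup, and propagates TTL the way the deck states, including how explicit null lets the egress keep the EXP bits. Function names, the LFIB dict layout and the four-router path are constructed for this example; applying the "never copy a larger TTL" rule to an exposed inner label is an assumption noted in the code.

```python
IMPLICIT_NULL = 3   # advertised by the egress to request PHP; never carried on the wire
EXPLICIT_NULL = 0   # carried on the wire so the egress can still read the EXP (QoS) bits


class Drop(Exception):
    """Unknown incoming label: the packet is discarded, with no IP lookup fallback."""


class TimeExceeded(Exception):
    """Top-label TTL is 1 on arrival: the LSR would originate ICMP type 11, code 0."""


def ingress_push(ip_ttl, labels, exp=0):
    """Ingress LSR: decrement the IP TTL for the routed hop, then copy it into every
    pushed label (TTL propagated from IP to MPLS). `labels` is listed top label first."""
    ttl = ip_ttl - 1
    return {"stack": [{"label": l, "exp": exp, "ttl": ttl} for l in labels],
            "ip_ttl": ttl, "last_exp": None}


def _pop(stack, ttl, ip_ttl, exp):
    """Remove the top entry and propagate `ttl` downward without ever raising the value
    already there (the IOS rule in section 29 for the IP header; applying it to an
    exposed inner label as well is an assumption of this example)."""
    rest = stack[1:]
    if rest:
        rest[0]["ttl"] = min(ttl, rest[0]["ttl"])
        return {"stack": rest, "ip_ttl": ip_ttl, "last_exp": exp}
    return {"stack": [], "ip_ttl": min(ttl, ip_ttl), "last_exp": exp}


def forward(lfib, pkt, decrement=True):
    """One label operation on one LSR. `lfib` maps an incoming label to an outgoing
    label (IMPLICIT_NULL meaning 'pop', i.e. PHP) or to the string 'aggregate' (remove
    the stack and do an IP lookup inside the VRF). Returns (new packet, action)."""
    stack = [dict(e) for e in pkt["stack"]]
    if not stack:
        return pkt, "ip-lookup"
    top = stack[0]
    if decrement and top["ttl"] <= 1:
        raise TimeExceeded(top["label"])
    ttl = top["ttl"] - 1 if decrement else top["ttl"]
    if top["label"] == EXPLICIT_NULL:
        out = IMPLICIT_NULL          # explicit null is popped at the egress; its EXP is kept in last_exp
    elif top["label"] in lfib:
        out = lfib[top["label"]]
    else:
        raise Drop(top["label"])     # unknown label: drop, never fall back to IP routing
    if out == "aggregate":
        return {"stack": [], "ip_ttl": min(ttl, pkt["ip_ttl"]), "last_exp": top["exp"]}, "aggregate"
    if out == IMPLICIT_NULL:
        return _pop(stack, ttl, pkt["ip_ttl"], top["exp"]), "pop"
    stack[0] = {"label": out, "exp": top["exp"], "ttl": ttl}
    return {"stack": stack, "ip_ttl": pkt["ip_ttl"], "last_exp": pkt["last_exp"]}, "swap"


def switch_path(lsrs, pkt):
    """Push the packet through an ordered list of (name, lfib). After a pop the same
    LSR keeps processing while it has a binding for the newly exposed top label."""
    trace = []
    for name, lfib in lsrs:
        pkt, action = forward(lfib, pkt)
        trace.append((name, action))
        while action == "pop" and pkt["stack"] and (
                pkt["stack"][0]["label"] in lfib or pkt["stack"][0]["label"] == EXPLICIT_NULL):
            pkt, action = forward(lfib, pkt, decrement=False)   # same router: no second TTL decrement
            trace.append((name, action))
    return pkt, trace


def outcome(lfib, pkt):
    """Single-hop result as a string: the action, or the exception the LSR raised."""
    try:
        return forward(lfib, pkt)[1]
    except (Drop, TimeExceeded) as exc:
        return type(exc).__name__


def demo(penultimate_binding=IMPLICIT_NULL):
    """Constructed path PE1 -> P1 -> P2 -> PE2: LDP labels 16/17 toward PE2's loopback,
    VPN label 200 beneath. P2 either pops (PHP) or swaps to explicit null."""
    path = [("P1", {16: 17}), ("P2", {17: penultimate_binding}), ("PE2", {200: "aggregate"})]
    pkt = ingress_push(64, [16, 200], exp=5)   # IP packet arriving at PE1 with TTL 64
    return switch_path(path, pkt)


if __name__ == "__main__":
    print(demo())
    print(demo(penultimate_binding=EXPLICIT_NULL))
```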
30. MPLS MTU
— Increasing the Maximum Transmission
Unit is important because MPLS adds
extra header to packets.
— MRU (Max Receive Unit) is kept in LFIB
for each FEC to keep track of packet size
– to see if fragmentation is required.
— in some IOS versions, you cannot
configure mpls mtu to be bigger than
interface mtu!
31. MPLS MTU (cont.)
(config-if)# mpls mtu 1508
# show mpls interface f0/0 detail
switch(config)# system jumbomtu x (default=9216)
switch(config)# system mtu x (1500 - 2000)
s-msfc(config-vlan-if)# mtu x (64 - 9216)
32. CEF
— Cisco Express Forwarding is mandatory
for Cisco to enable MPLS.
— CEF switching is the only switching mode
that you can use to label packets (in IOS)
33. CEF (cont.)
— To check L2 information and outgoing interface:
# show adjacency detail
# show mpls forwarding-table [prefix + detail]
detail keyword shows all changes in the label stack.
# debug mpls packet
old format: label(s)=1/21 :top/second label
new format: stack {1 6 255} :{Label EXP TTL}
34. CEF (cont.)
— If an IP path and a labeled path have the same cost, only the labeled path is used to forward packets.
(config-if)# ip route-cache cef
to disable and enable cef at interface level.
# clear adjacency
# debug ip cef drops
35. TDP vs. LDP
— TDP (Tag Distribution Protocol)
◦ Older than LDP
◦ Cisco Proprietary
◦ uses UDP Broadcast 711 and TCP:711
— LDP (Label Distribution Protocol)
◦ uses UDP Multicast 646 and TCP:646
37. LDP Basic Configuration
(config)# mpls label protocol ldp
(config)# mpls ip | tag-switching ip
(config-if)# mpls ip
(config-if)# tag-switching ip
(config-if)# mpls ldp discovery hello holdtime (default 5/15s) must match with neighbor
# show mpls ldp discovery [detail]
# show mpls interfaces
38. LDP ID
— LDP Identifier is 6 bytes
◦ 4-byte LDP router ID + 2-byte label space ID
◦ per-platform label space ID = 0
◦ per-interface label space ID = non-zero
— The highest loopback IP is chosen.
— The mpls ldp router ID has to be reachable.
◦ The force keyword makes the LDP ID change immediately after issuing the command!
(config)# mpls ldp router-id interface [force]
39. LDP Timers
— If LDP is not successful, it retries at a throttled rate
◦ (config)# mpls ldp backoff (15 sec) max (120 sec)
— LDP Session Hold Time
◦ (config)# mpls ldp holdtime
◦ Default 180 sec for session keepalives (not related to the LDP discovery holdtime)
(config-if)# mpls ldp discovery hello holdtime | interval
(default 5/15s) must match with neighbor
# show mpls ldp discovery [detail]
# show mpls interfaces
40. LDP Transport Address
— To use an address instead of RID for session
establishment.
(config-if)# mpls ldp discovery transport-address
— When router has multiple parallel links, same
transport address must be advertised on all
links for same label space.
— Single LDP session between neighbors is
enough to do the job. (for LC-ATM one
session per interface label space)
41. LDP Characteristics
— LDP Split horizon does not exist!
— An LDP LSR assigns labels to all prefixes and sends them to all neighbors, even to the neighbor which owns that specific prefix.
— LDP has label withdraw capability.
42. Targeted LDP
— Targeted LDP is used when neighbors are not directly connected.
— It is more stable than a dynamically discovered neighborship, because the session is not disrupted by link flaps.
(config)# mpls ldp neighbor address targeted ldp |
tdp
(config)# mpls ldp discovery targeted-hello interval
(config)# mpls ldp discovery targeted-hello accept
from acl
44. LDP Filtering
— Outbound Filtering
◦ LDP has control over advertised Labels
◦ To disable automatic label advert:
(config)# no mpls ldp advertise-labels
(config)# mpls ldp advertise-labels for prefixacl to peeracl
# show mpls ldp bindings acl
— Inbound Filtering (per neighbor)
◦ LDP has control over received labels
(config)# mpls ldp neighbor x labels accept prefix-acl
45. LDP IGP Auto Configuration
— LDP can work with OSPF to simplify configuration tasks.
— Enables LDP on all interfaces in an area instead of configuring "mpls ip" on each interface.
(config-router)# mpls ldp autoconfig area 0
(config-if)# no mpls ldp igp autoconfig
46. LDP-IGP Synchronization
— Ensures the links are not used to forward
unlabeled traffic (when LDP session is down)
◦ It moves the forwarding path toward the LDP
enabled ones.
— OSPF adjusts the metric to divert traffic.
◦ OSPF is the only IGP that supports the LDP-IGP sync feature.
◦ OSPF waits for LDP to synchronize and then forms the adjacency with the neighbor.
(config-router)# mpls ldp sync
(config-router)# mpls ldp sync holddown 30000
to prevent ospf waiting forever
47. LDP Session Protection
— Builds a targeted LDP session between neighbors to protect the session from link flaps and re-initializations.
— It has to be configured on both the LSRs.
(config)# mpls ldp session protection for peer-acl duration
seconds
48. LDP Graceful Restart
— LDP has a graceful restart feature to inform neighbors before going down.
— It preserves the MPLS forwarding state when the LDP session goes down, so forwarding continues without interruption.
49. ATM MPLS
— There are several standards to carry IP over ATM:
◦ RFC 1483 Encapsulation
◦ LAN Emulation (LANE)
◦ Multiprotocol over ATM (MPOA)
◦ MPLS
50. ATM MPLS
— ITU-T specified a layer between the ATM layer and the upper layer called AAL (ATM Adaptation Layer), which has five categories.
— AAL5 is used for IP and LANE.
— Both VPI (8 bit) and VCI (16 bit) are used together to identify the next destination of an ATM cell.
— The MPLS label value must be mapped to VPI/VCI on ATM switches (ATM Switch/LSR)
— Only the top Label is required to be
mapped.
51. Tagged VC
— VC = Virtual Circuit
— TVC = Tagged VC or LVC = "Label switched VC" is the VC that is used by MPLS.
— ATM switches need to run an IP routing protocol and a label distribution protocol.
— IGP and LDP require a control VC to run on top of it.
52. Control VC
— Cisco IOS default VC = 0/32
— Encapsulation must be LLC/SNAP.
atm-switch(config-if)# mpls atm control-vc 0 1000
vpi/vci modification for control VC - default 0/32
atm-switch(config-if)# mpls atm vpi x vci-range low – high
Default VPI used for MPLS = 1
# show atm vc interface atm2/0/0
# show mpls interface detail
(config)# interface atm1/0/0.10 mpls
Indicates that interface is an LC-ATM subinterface
(config-if)# mpls ip
54. MPLS VPN Intro.
— P routers do not need to know the customers' routing tables or BGP table!
◦ "BGP-Free Core"
— P routers only switch the outer tag/label.
— MPLS VPN uses at least two labels.
— PE routers put customers in VRFs
◦ IGP inside the VRF with the customer.
◦ Redistributing the VRF IGP into MP-iBGP to inform other PE(s).
55. VRF
— Virtual Routing and Forwarding is a combination of a VRF routing table + VRF CEF + IP routing protocols on PE routers.
— A PE router has a VRF instance for each attached VPN.
— Each interface on the PE router can belong to only one VRF.
(config)# ip vrf vrfx
(config-if)# ip vrf forwarding vrfx
56. Route Distinguisher
— RD is a 64-bit unique identifier that is prepended to IPv4 prefixes to form vpnv4 prefixes for MP-BGP. (96 bits long)
— RD can have two formats:
◦ asn:nn
◦ ip-address:nn
◦ For example vpnv4 prefix 1:1:10.1.1.1/24
— RD is not necessarily a VPN identifier; some complex VPNs use more than one RD per VPN.
(config-vrf)# rd 1:1
57. Route Target
— The communication between different VPN sites is not controlled by the RD, but with another MPLS feature called RT.
— RT is a BGP extended community (Optional Transitive) to import and export between MP-BGP and VRF.
— RT attaches to vpnv4 routes. (as a
community) and more than one RT might be
used.
(config-vrf)# route-target {import | export | both } rt
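An added example (not from the original slides) of the RD and RT mechanics in sections 56 and 57: encoding an RD written as asn:nn or ip-address:nn into its 8-byte wire format, prepending it to an IPv4 prefix to get the 96-bit vpnv4 prefix, and deciding VRF import by RT match rather than by RD. It goes beyond the text by modelling asymmetric import/export RTs, the hub-and-spoke policy the deck discusses later; class and function names and the constructed VRFs are this example's own, and the type-2 RD (4-byte ASN) branch comes from RFC 4364 rather than the slides.

```python
import ipaddress
import struct


def encode_rd(text):
    """Encode an RD given as asn:nn or ip-address:nn into its 8-byte wire form (RFC 4364):
    type 0 = 2-byte ASN + 4-byte number, type 1 = 4-byte IP + 2-byte number,
    type 2 = 4-byte ASN + 2-byte number (used here for ASNs above 65535)."""
    admin, _, num_text = text.rpartition(":")
    num = int(num_text)
    try:
        ip = ipaddress.IPv4Address(admin)   # dotted quad only; "1" is not an address
    except ipaddress.AddressValueError:
        ip = None
    if ip is not None:
        if not 0 <= num < 1 << 16:
            raise ValueError("ip:nn form allows a 16-bit number")
        return struct.pack("!HIH", 1, int(ip), num)
    asn = int(admin)
    if asn < 1 << 16:
        if not 0 <= num < 1 << 32:
            raise ValueError("asn:nn form allows a 32-bit number")
        return struct.pack("!HHI", 0, asn, num)
    if not 0 <= num < 1 << 16:
        raise ValueError("4-byte-asn:nn form allows a 16-bit number")
    return struct.pack("!HIH", 2, asn, num)


def vpnv4_prefix(rd_text, prefix_text):
    """Prepend the 64-bit RD to the IPv4 network address: the 96-bit vpnv4 prefix.
    Returns (12 bytes, text form such as '1:1:10.1.1.0/24')."""
    net = ipaddress.IPv4Network(prefix_text, strict=False)
    return encode_rd(rd_text) + net.network_address.packed, f"{rd_text}:{net}"


def route_target(text):
    """Route Target as an 8-byte BGP extended community: type 0x00 (two-octet AS
    specific, transitive), sub-type 0x02, value asn:nn."""
    asn, num = text.split(":")
    return struct.pack("!BBHI", 0x00, 0x02, int(asn), int(num))


class Vrf:
    """A VRF on a PE: its RD plus the RTs it attaches on export and accepts on import."""

    def __init__(self, name, rd, import_rts, export_rts):
        self.name, self.rd = name, rd
        self.import_rts = {route_target(rt) for rt in import_rts}
        self.export_rts = {route_target(rt) for rt in export_rts}

    def export(self, prefix):
        """What MP-BGP carries for this prefix: the vpnv4 NLRI plus the RT communities."""
        nlri, text = vpnv4_prefix(self.rd, prefix)
        return {"nlri": nlri, "text": text, "rts": frozenset(self.export_rts), "from": self.name}

    def accepts(self, route):
        """Import when at least one carried RT matches an import RT; the RD is not consulted."""
        return not self.import_rts.isdisjoint(route["rts"])


def received_routes(vrfs, routes):
    """Which of the advertised vpnv4 routes each VRF would import (its own excluded)."""
    return {v.name: sorted(r["text"] for r in routes if r["from"] != v.name and v.accepts(r))
            for v in vrfs}


def demo():
    """Constructed hub-and-spoke policy: spokes export 1:100 and import 1:200, the hub does
    the reverse, so spokes learn the hub's routes but never each other's. Both spokes
    announce the same 10.1.1.0/24, which their distinct RDs keep apart in MP-BGP."""
    hub = Vrf("hub", "1:1", import_rts=["1:100"], export_rts=["1:200"])
    s1 = Vrf("spoke1", "1:2", import_rts=["1:200"], export_rts=["1:100"])
    s2 = Vrf("spoke2", "1:3", import_rts=["1:200"], export_rts=["1:100"])
    routes = [hub.export("10.0.0.0/24"), s1.export("10.1.1.0/24"), s2.export("10.1.1.0/24")]
    return received_routes([hub, s1, s2], routes), routes


if __name__ == "__main__":
    table, advertised = demo()
    print(table)
    print([r["nlri"].hex() for r in advertised])
```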
58. BGP Address Family
— Address Family ID (AFI)
◦ 1 IPv4
◦ 2 IPv6
◦ 11 IPX
◦ 12 AppleTalk
— Subsequent Address Family ID (SAFI)
◦ 1 NLRI Unicast
◦ 2 NLRI Multicast
◦ 3 NLRI Both
◦ 4 NLRI IPv4 + Label
◦ 128 NLRI - Labeled VPN Forwarding
– to Send Label along with vpnv4 prefix
59. BGP vpnv4
— A BGP speaker only assigns a label to a prefix for which it is the next hop
— MP-BGP advertises only one label for
each vpnv4 prefix.
(config-bgp-address-family-vpnv4)#
neighbor x send-community both
both: standard + extended communities
60. BGP vpnv4 Route Reflectors
— RR reflects vpnv4 prefixes to RR-Clients.
— RR does not see the VRFs but RDs:
# show ip bgp vpnv4 rd route-distinguisher
— RR accepts and stores all BGP routes.
— A PE tends to save memory, so it rejects vpnv4 prefixes in the BGP table if no VRF is importing those routes.
— We can divide the prefixes across RRs by the RR-Group feature:
(config-bgp-address-family-vpnv4)# bgp rr-group 1
(config)# ip extcommunity-list 1 permit rt 1:3
(config)# ip extcommunity-list 1 deny rt 1:4
61. BGP Multipath
— BGP selects only one best path by default.
— BGP Multipath
◦ installation of 2 or more external bgp paths
— iBGP Multipath
◦ installation of 2 or more internal bgp paths
— eiBGP Multipath
◦ installation of 2 or more external and internal
best paths for the same prefix.
62. BGP Multipath (cont.)
— Following attributes must be identical:
◦ Weight
◦ Local Preference
◦ AS-Path
◦ Origin
◦ MED
◦ Neighbor AS or sub-AS (for eBGP) and AS-Path (for eiBGP)
◦ IGP metric to the BGP next hop
63. VPN Multipath
— When the RD is different and you want to import routes into a new VRF (with a different RD) you have to use the import keyword.
(config-bgp-address-family-ipv4)# maximum-path ibgp 2 import 2
RIB 1 > Import > RIB 2 > Max-paths > Routing Table
— bgp scan-time import n-seconds
◦ Runs every 15 seconds by default
— bgp scan-time n-seconds
◦ Runs by default every 60 sec for next-hop reachability,
conditional advertisement, route dampening, etc.
64. VPN Multipath with RR
— In the case of an RR, the RR selects the best path and advertises only one path based on its own decision (BGP best path selection)
— The workaround is to advertise parallel
paths from different PEs with different RDs
so that RR advertises all paths.
— RR will advertise all parallel paths with
different RDs (as they are not same) and
ingress PE can run BGP multipath and use all
parallel paths.
65. PE-CE Routing
— Different routing protocols can be used
between PE and CE:
◦ Static Routes
◦ RIPv2
◦ EIGRP
◦ OSPF
◦ BGP
— It's a best practice to redistribute connected
routes on the PE into BGP. (because users
generate ping from CE interface to test)
(config-router)# redistribute connected
66. PE-CE RIP
— RIP Version 2 is the only version supported for PE-CE routing. (RIP 1 is not supported)
— Make sure "default-metric" is configured.
Otherwise, there would be no route
redistribution from BGP to RIP.
67. PE-CE EIGRP
— BGP delivers additional information with 6 extended communities for EIGRP (Flags, Tags, AS, Delay, BW, MTU, Hop count and so on)
— The metric of EIGRP routes is reconstructed at remote MPLS sites from the metric components.
— The cost of traversing the MPLS VPN backbone is 0 for EIGRP routes.
— EIGRP does not need a "down bit" as OSPF does, because the metric of received routes is compared at each node.
— We can configure the autonomous-system ID inside the EIGRP VRF address-family.
(config-eigrp-address-family-ipv4)# autonomous-system x
68. PE-CE EIGRP POI
— Pre-Best Path POI (Point of Insertion) has been introduced in the BGP Cost Community feature to support mixed EIGRP VPN network topologies that contain VPN and back door links.
— POI is applied when EIGRP is redistributed into
BGP
— There’s no configuration required. (default since
IOS 12.0S)
— POI is a mechanism to override BGP best path
selection process and indicates to consider the
cost community (a non-transitive community)
before any regular BGP path comparison.
69. Cost Community
— POI can assign a preference to a specific
path when multiple equal cost paths are
available (once BGP receives the update)
route-map poi permit 10
set extcommunity cost 1 1
match ip address acl
70. Site of Origin
— SOO helps to speed up the convergence time when a backdoor link exists.
— SOO is an extended community attached to routes that shows the site of origination.
(config-if)# ip vrf sitemap
— Without SOO, a count-to-infinity might happen (EIGRP default max hop count is 100; change it with "metric maximum-hops x")
— The disadvantage of using SOO is that if the site is split, one part of the site cannot use the backdoor or MPLS to connect to the other part of the same site.
71. PE-CE OSPF
— The downside of OSPF redistribution is that all OSPF routes become external routes, and are therefore less preferable than backdoor links (if any)
— The solution is configuring a special link called a "Sham link", making the MPLS VPN a super-backbone.
— Unlike RIP and EIGRP, OSPF uses a separate process per VRF:
(config)# router ospf x vrf y
72. OSPF BGP Redistribution
— BGP into OSPF: use the "subnets" keyword with the redistribute command. Otherwise, only classful routes are redistributed.
— OSPF into BGP use appropriate match
parameters:
(config-router)# redistribute ospf 1 vrf C1 metric 10
match internal external 1 external 2
— OSPF uses BGP MED to deliver cost.
Cost => MED => Cost (redistribution)
73. OSPF BGP Communities
— BGP Extended Communities for OSPF:
◦ Route Type (LSA Type)
◦ Metric Type (0=E1, 1=E2)
◦ Area Number
◦ OSPF RID
◦ Domain ID
– Domain ID is equal to process ID (by default)
– If Domain ID does not match between PE LSRs,
routes will be considered as external.
(config-router)# domain-id 0.0.0.69
74. OSPF Sham Link
— Flooding can occur across the MPLS VPN backbone using a sham link
— A sham link is a virtual link between PE LSRs.
— A sham link is an unnumbered point-to-point intra-area link that is treated as a demand circuit. (LSAs are flooded, but without periodic refresh)
— LSAs are flooded and do not have to be converted to type 3 or 5. (preserves LSA type)
75. OSPF Sham Link (cont.)
— The sham link endpoint IP must be from the customer VRF and not advertised into OSPF.
— The sham link IP can be a loopback advertised by iBGP inside the customer VRF and not reachable through OSPF. (Otherwise it flaps, because the OSPF route would have a better AD.)
(config-router)# area x sham-link source-address
destination-address cost y
76. OSPF Down Bit
— The Down bit is an option bit in LSA type 3 to avoid possible routing loops when there are multiple ABRs.
— In a multi-homed site, when PE1 sends an LSA 3 to the area (CE) it reaches PE2. PE2 checks the Down bit and so will not inject it back into the backbone.
— When we run OSPF in a VRF, Cisco drops the routes with the Down-bit set; in a CE with VRF-lite this causes problems with received routes.
77. OSPF VRF-Lite Capability
(config-router)# capability vrf-lite
— Disables several checks including: LSA 3 DN bit and VPN-tag checking.
— Another way to eliminate Down-bit
verification is to use "domain-id null"
— Changing the domain-id on one side lets
routes to appear as external (LSA5) and
pass the down-bit LSA 3 verification!
78. OSPF Domain Tag
— Domain Tag is the same as the Down-bit but it's used by LSA type 5.
— It is also called the "VPN route tag".
— The domain tag is set to a value determined in RFC 1745 (by default).
(config-router)# domain-tag 5
79. PE-CE ISIS
— Like OSPF, ISIS has its own process ID per
VRF, ISIS database and routing table.
(config-router)# vrf x
# show isis x neighbors
# show isis x database
# show clns x protocol
80. ISIS Up/Down bit
— Just like OSPF Down-bit
— Up/Down bit is set by PE routers
automatically upon route distribution.
— Up/down bit performs routing loop
prevention when an ISIS site is dual-
homed.
81. PE-CE BGP
— One of the easiest PE-CE protocols
— With the default behavior of BGP, each customer site must have a different AS number.
— BGP drops updates in which it sees its own ASN in the AS-Path, as a loop prevention method.
◦ Allowas-in permits the same AS to be seen in the AS Path.
82. BGP AS-Override
— AS Override is set at PE to change ASN.
— It's advisable to use SOO feature when
deploying AS-override.
(config-bgp-address-family-ipv4)#
neighbor address as-override
— AS Override replaces CE ASN with PE
ASN while "allowas-in" method ignores
own AS in AS Path.
83. BGP Allow AS-In
— Allow AS-In permits multiple occurrences
of same ASN in AS-path - 1 to 10 times!
— allowas-in can be used by CE, to ignore
the ASN of other CE site, or can be used
by PE to ignore PE-ASN in a hub and
spoke scenario.
(config-bgp-address-family-ipv4)#
neighbor address allowas-in
84. Hub-and-Spoke VPN
— Sometimes, the customer does not want spoke-to-spoke communication or route leakage.
— We can use two different RTs, one for import and another for export at spoke sites, and the reverse at the hub site.
— It's better to have different RDs as well; otherwise a vpnv4 path might be selected as best path that does not carry the RT that you want.
— Also, having different RDs prevents two spokes connected to the same PE from talking to each other.
85. BGP SOO
— Site of Origin is a BGP extended
community that prevents suboptimal
routes and loops when a backdoor is
present.
— If SOO is applied for BGP, the route map
is configured on the neighbor command.
— If SOO is applied for any IGP, the route map is configured with "ip vrf sitemap" on the appropriate VRF interface
86. BGP SOO (cont.)
(config)# route-map soo1 permit 10
(config-route-map)# set extcommunity soo 1:100
(config-bgp-af-ipv4)# neighbor address route-map soo1 in
or
(config-if)# ip vrf sitemap soo1
or
(config-bgp-af-ipv4)# redistribute static route-map soo1
or
(config-bgp-af-ipv4)# network x mask y route-map soo1
87. VPN Internet
— Internet access inside a VPN, different methods:
1. One VRF for internet routes.
2. Importing internet routes directly into the customer VRF
3. Having a different interface or sub-interface or virtual interface for internet.
4. Internet through static route
5. Internet access through a Central VRF Site.
88. VPN Internet (cont.)
1. One VRF for internet routes.
◦ Customers can not have their own address space (addresses must be unique)
2. Importing internet routes into the customer VRF
◦ Huge number of replicated internet routes at each PE!
89. VPN Internet (cont.)
3. Having a different interface or sub-
interface or virtual interface for
internet.
◦ use another interface in global routing for
customer.
◦ use tagging (802.1q) and segregate internet and VPN traffic.
◦ use a GRE tunnel for the internet traffic.
90. VPN Internet (cont.)
— GRE tunnel internet access example on
PE:
interface tunnel1
 tunnel source pe-vrf-address
 tunnel destination ce-vrf-address
 tunnel vrf customer1
(instead of "ip vrf forwarding"; connects global routing to the VRF at the CE)
ip route x.x.x.x/x tunnel1
(public address range of customer)
91. VPN Internet (cont.)
4. Internet through static route (global
keyword on the default route inside vrf)
(config)# ip route vrf C1 0.0.0.0 0.0.0.0 10.x.x.x global
(config)# ip route x.x.x.x/x ethernet0/1 y.y.y.y
to route public address range back to CE
(config-bgp)# redistribute static
for Internet gateway to be aware of public address
range of client
◦ NAT is also applicable (VRF-aware)
92. VPN Internet (cont.)
5. Internet access through a Central Site
◦ Customer can share internet through a hub
site and advertise that to spokes.
93. Multi-VRF CE
— AKA. VRF Lite puts each VLAN or sub-interface into a VRF.
— does not need MPLS VPN, MP-BGP and LDP labeling features.
— If OSPF is used the "capability vrf-lite" is required under the OSPF VRF process.
◦ It disables Down-bit check and domain-tag
check which would discard OSPF routes.
94. CE Management VRF
— If the provider owns the CE device, they must be able to manage it from a central management VRF.
— It is possible to match the CE router IP with a route-map, set an extended community RT, and import it into the management VRF at the other side.
(config-vrf)# export map management
(config)# route-map management permit 10
(config-route-map)# match ip address prefix-list x/32
(config-route-map)# set extcommunity rt 1:100
95. MPLS TE Intro.
— With IP routing and playing with metrics,
it is impossible to adjust the cost of each
link to balance the link usage equally.
— It's the head end LSR of the LSP that can
determine the routing path.
— Head end must know the bandwidth and
other attributes of links to decide.
— The routing protocol between head and
tail end has to be a link-state protocol.
96. MPLS TE Intro. (cont.)
— a TE tunnel is unidirectional (LSP is
unidirectional in nature)
— TE tunnel configuration happens on the
headend.
— A TE tunnel must be signaled, whereas a GRE tunnel does not need signaling.
— You cannot use a TE tunnel to route
other TE tunnel LSPs inside.
◦ “mpls traffic-eng tunnels” command inside the
tunnel interface is pointless
97. TE Requirements
— Link Constraints (how much traffic each
link can support for TE)
— TE-enabled link state protocol.
— Path Calculation – PCALC.
— A Signaling protocol – RSVP.
— A way to forward traffic onto the TE
tunnel.
98. TE Shortest Path
— PCALC or constrained SPF (CSPF)
calculates the shortest path based on all
attributes (constraints e.g. bandwidth) on
the Head end.
— Intermediate LSRs learn the label by
signaling protocol - RSVP-TE (CR-LDP is
not implemented by Cisco)
— TE tunnels use Downstream-on-Demand
(DoD) label distribution.
99. RSVP-TE
— Extensions were made to RSVP to carry the label
◦ Explicit Route Object (ERO)
◦ Record Route Object (RRO)
— RSVP Messages:
◦ RSVP PATH
– Sent from the head end to the tail end to request a label, with an ERO detailing the hops that the message must follow.
◦ RSVP RESV
– The tail end sends the label back along the path, and each intermediate LSR forwards it toward the head end.
— Signaling protocol makes sure the bandwidth is
reserved at each hop.
100. TE IGP Requirements
— TE Metric
◦ Separate cost for TE operation than the IGP
metric
— Maximum BW
◦ (config-if)# bandwidth x
— Max Reservable BW
◦ (config-if)# ip rsvp bandwidth x
— Unreserved BW
◦ bandwidth available to reserve
— Administrative group
◦ 32bit field
101. OSPF TE Extensions
— OSPF extensions for TE
◦ O-bit added to OSPF options field shows
whether a router is Opaque capable.
— Opaque LSA type 9
◦ Link local flooding scope
— Opaque LSA type 10
◦ Intra-area flooding scope; used by TE in all situations and carries one or more TLVs.
— Opaque LSA type 11
◦ Inter-area flooding scope
102. OSPF TE Configuration
— Sample:
(config)# mpls traffic-eng tunnels
(config-if)# mpls traffic-eng tunnels
(config)# router ospf x
(config-router)# mpls traffic-eng router-id lo0
(config-router)# mpls traffic-eng area 0
# show ip ospf database opaque-area
max-resv bw is in kilobytes not bits.
103. ISIS TE Extensions
— TLV22 is added with numerous sub-TLVs
to deliver the link attributes.
— Sample configuration:
(config)# router isis x
(config-router)# metric-style wide
(config-router)# mpls traffic-eng level-2
(config-router)# mpls traffic-eng router-id lo0
104. IGP Flooding
— OSPF periodically re-floods (refreshes) its LSAs every 30 minutes
(config-router)# timers pacing lsa-group seconds
— ISIS periodic flooding = every 15 minutes
(config-router)# lsp-refresh-interval seconds
— TE information floods every 3 minutes
(config)# mpls traffic-eng link-management timers
periodic-flooding 0-3600 seconds
105. TE BW movement
— TE has trigger thresholds for a downward bandwidth change (less reserved bandwidth) and an upward change (more reserved bandwidth).
— A TE update is triggered immediately when a tunnel fails to establish; it does not wait for the flooding timer/threshold.
106. TE BW Movement (cont.)
— Default triggers for up:
◦ 15,30,45,60,75,80,85,90,95,97,98,99 and 100
— Default triggers for down:
◦ 100,99,98,97,95,90,85,80,75,60,45,30 and 15.
— Triggers are configured as percent of
bandwidth change
(config-if)# mpls traffic-eng flooding thresholds down x
(config-if)# mpls traffic-eng flooding thresholds up x
107. TE Link Attributes
— Attributes Flag
◦ Sets link attribute for administration purposes
for each link = 32 bits
(config-if)# mpls traffic-eng attribute-flag 0x0000FFFF
◦ On the head-end, the affinity bits must match the link attributes for the tunnel to set up.
(tunnel-if)# tunnel mpls traffic-eng affinity 0xn mask
108. TE Link Attributes (cont.)
— Shared Risk Link Group (SRLG)
◦ is used by backup tunnels in "FRR" - indicating
whether links are using same fiber, conduit,
etc.
— Max Reservable bandwidth (global pool and sub-pool)
◦ The sub-pool is a fraction of the global pool bandwidth which can be used by DiffServ-aware TE.
109. TE Link Attributes – TE Metric
— TE Metric
◦ By default IGP cost = TE metric (if not
specified)
◦ Metric type: TE (default), a.k.a. dual TE metric
(tunnel-if)# tunnel mpls traffic-eng path-selection metric
[te | igp]
(config-if)# mpls traffic-eng administrative-weight x
111. TE Tunnel Attributes (cont.)
— Tunnel Destination = RID of Tail-end
— Bandwidth = Desired BW
(config-if)# tunnel mpls traffic-eng bandwidth [sub-pool
| global]
— Affinity
◦ Properties that tunnel requires in its links (as attributes)
◦ 0x0 to 0xFFFFFFFF (32 bits)
112. TE Tunnel Attributes – Path Options
— Path Options
◦ Preference number: 1 to 1000 (lower=better)
◦ Only if Path is not available, next path is tried.
◦ Dynamic Path: PCALC takes care of it
tunnel mpls traffic-eng path-option 1 explicit name test
tunnel mpls traffic-eng path-option 2 dynamic
!
ip explicit-path name test enable
next-address w.x.y.z
exclude-address a.b.c.d
113. TE Tunnel Attributes - Priority
— Setup and Holding Priorities
◦ If setup priority of a new tunnel is better
(lower) than holding priority of existing
tunnel, preemption occurs.
◦ A lower priority value = higher importance
◦ The setup priority can't be lower (better) than the holding priority. (Default = 7 7)
tunnel mpls traffic-eng priority 0 0
114. TE Tunnel Attributes Re-Optimization
— Re-Optimization
◦ Re-routing and PCALC re-calculation
◦ Periodic re-optimization: 1 hour by default
– By configuring “lock-down” in path-option to
disable
(config)# mpls traffic-eng reoptimize timer frequency x
◦ Event-Driven
(config)# mpls traffic-eng reoptimize event link-up
◦ Manual
# mpls traffic-eng reoptimize
115. RSVP Labels
— To preserve EXP on PHP use (hidden command):
(config)# mpls traffic-eng signalling interpret explicit-null verbatim
— The RSVP shared explicit (SE) reservation style is used to ensure make-before-break. (The new LSP is built before the old LSP is torn down.)
# debug ip rsvp dump-messages
116. TE Link Manager
— The software component that performs link admission control: it keeps track of reserved bandwidth per link (and per priority level).
— Checks tunnel priorities to decide whether a new tunnel may preempt an existing one.
— RSVP is a control-plane protocol: it only accounts for the reservation and does not enforce QoS on the interface. Queuing and policing have to be configured separately.
# debug mpls traffic-eng link-management
# show mpls traffic-eng link-management
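A worked model of what the Link Manager does on one link, added here as an example (it is not part of the original notes and not Cisco code): it tracks reserved bandwidth per holding priority, computes the unreserved bandwidth a tunnel of a given setup priority may still take, admits or rejects the tunnel, and preempts worse-priority tunnels only when the new one would not fit otherwise. The link name, tunnel names and bandwidths are constructed; the affinity check at the end is the CSPF bit comparison from the affinity attribute above.

```python
from dataclasses import dataclass, field


@dataclass
class Tunnel:
    name: str
    bw: int      # reserved bandwidth in kbps
    setup: int   # setup priority, 0 (best) .. 7 (worst)
    hold: int    # holding priority, 0 (best) .. 7 (worst)

    def __post_init__(self) -> None:
        # IOS rejects a setup priority that is better (numerically lower) than
        # the holding priority: two such tunnels could preempt each other forever.
        if not 0 <= self.hold <= self.setup <= 7:
            raise ValueError(f"{self.name}: setup {self.setup} must be >= hold {self.hold}")


@dataclass
class TELink:
    name: str
    max_reservable: int                       # kbps ("ip rsvp bandwidth" on the interface)
    admitted: list = field(default_factory=list)

    def reserved_total(self) -> int:
        return sum(t.bw for t in self.admitted)

    def unreserved(self, prio: int) -> int:
        """Bandwidth still available to a tunnel with setup priority `prio`.
        Only tunnels holding at a priority as good as or better than `prio`
        count against it; tunnels holding at a worse priority are preemptable."""
        held = sum(t.bw for t in self.admitted if t.hold <= prio)
        return self.max_reservable - held

    def admit(self, new: Tunnel) -> tuple:
        """Link admission control: returns (admitted, [names of preempted tunnels])."""
        if new.bw > self.unreserved(new.setup):
            return False, []   # not enough even after preempting everything worse
        preempted = []
        # Preempt the worst holding priority first, and only as much as needed.
        victims = sorted((t for t in self.admitted if t.hold > new.setup),
                         key=lambda t: t.hold, reverse=True)
        for victim in victims:
            if self.reserved_total() + new.bw <= self.max_reservable:
                break
            self.admitted.remove(victim)
            preempted.append(victim.name)
        self.admitted.append(new)
        return True, preempted


def affinity_matches(link_attribute_flags: int, affinity: int, mask: int) -> bool:
    """CSPF link eligibility: the attribute bits selected by the tunnel's
    affinity mask must be identical on the link and in the tunnel's affinity."""
    return (link_attribute_flags & mask) == (affinity & mask)


def demo() -> tuple:
    """Constructed scenario: a 100 Mbps link, a bulk tunnel at priority 7/7,
    a voice tunnel at 3/3, then a better voice tunnel that no longer fits."""
    link = TELink("Gi0/1", max_reservable=100_000)
    link.admit(Tunnel("t-bulk", 60_000, setup=7, hold=7))
    link.admit(Tunnel("t-voice-old", 30_000, setup=3, hold=3))
    ok, kicked = link.admit(Tunnel("t-voice-new", 50_000, setup=2, hold=2))
    return ok, kicked, [t.name for t in link.admitted]


if __name__ == "__main__":
    print(demo())   # (True, ['t-bulk'], ['t-voice-old', 't-voice-new'])
```

The bulk tunnel is the one that gets preempted because it holds at the worst priority; the older voice tunnel (holding at 3, better than the newcomer's setup priority 2 needs) stays. Note that preemption is decided purely on the reservation accounting: nothing here touches queues, which is the point of the RSVP remark above.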
118. Forwarding Traffic onto TE (cont.)
— Autoroute Announce
◦ The tunnel becomes the next hop in the head-end's routing table for the tail-end and the prefixes behind it.
— Forwarding Adjacency
◦ The IGP treats the tunnel as a link and advertises it to the other routers, so they can route over it as well.
(config-if)# tunnel mpls traffic-eng forwarding-adjacency
— CBTS (class-based tunnel selection)
◦ Map EXP values to a particular tunnel.
(config-if)# tunnel mpls traffic-eng exp n
119. TE Cost
— Shortest Unconstrained Path
◦ With autoroute announce, the cost of the TE tunnel = the IGP metric of the shortest unconstrained path to the tail-end (even if the tunnel does not follow that path).
◦ The tunnel is always preferred for the interfaces connected to the tail-end. Prefixes behind the tail-end with an equal path cost can be load balanced between the TE tunnel and native IPv4 paths.
tunnel mpls traffic-eng autoroute metric absolute x
tunnel mpls traffic-eng autoroute metric relative -10
(relative offset: -10 to +10)
120. TE Load-Balancing
— Unequal-cost load-balancing is possible because CEF has 16 hash buckets to distribute.
— Traffic is load-balanced in proportion to the bandwidth requirement of each TE tunnel.
— Example: Tunnel1 reserves 80 Mbps and Tunnel2 reserves 20 Mbps; the load-balancing ratio will be 4:1.
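The 4:1 figure assumes the buckets can be split exactly. Added example (not from the original notes, not IOS code): the largest-remainder apportionment below approximates how the 16 CEF buckets get distributed; it assumes proportional rounding, since the exact rounding IOS applies is platform dependent. With 80 and 20 Mbps the split is 13:3 buckets, closer to 81/19 than 80/20, and a tunnel much smaller than the others can end up with no bucket at all.

```python
def cef_buckets(bandwidths: dict, buckets: int = 16) -> dict:
    """Apportion `buckets` CEF hash buckets to tunnels in proportion to their
    reserved bandwidth (largest-remainder rounding). Assumption: this is an
    approximation of IOS behaviour; the exact rounding is platform dependent."""
    total = sum(bandwidths.values())
    if total <= 0 or buckets <= 0:
        raise ValueError("bandwidths must sum to a positive value")
    quota = {name: bw * buckets / total for name, bw in bandwidths.items()}
    alloc = {name: int(q) for name, q in quota.items()}          # floor first
    spare = buckets - sum(alloc.values())                         # leftover buckets
    # the largest fractional remainders win the leftover buckets
    for name in sorted(quota, key=lambda n: quota[n] - alloc[n], reverse=True)[:spare]:
        alloc[name] += 1
    return alloc


def effective_ratio(alloc: dict) -> dict:
    """Share of flows each tunnel really gets once quantised into buckets."""
    total = sum(alloc.values())
    return {name: round(n / total, 4) for name, n in alloc.items()}


if __name__ == "__main__":
    split = cef_buckets({"Tunnel1": 80, "Tunnel2": 20})   # constructed bandwidths in Mbps
    print(split, effective_ratio(split))                   # {'Tunnel1': 13, 'Tunnel2': 3} ...
```

Because CEF hashes flows, not packets, into the buckets, the ratio only holds over many flows; a few elephant flows can still land in the smaller tunnel's three buckets.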
121. TE in MPLS VPN
— PE to PE – TE Tunnel
◦ LDP is not required on the TE tunnel.
◦ If TE is enabled end-to-end (PE to PE), LDP is not required at all: RSVP provides the transport label on top of the VPN label.
◦ TE next-hop label = the label for the tail-end PE.
122. TE in MPLS VPN (cont.)
— PE to P – TE Tunnel
◦ LDP is required (from the tail-end P onward, and over the tunnel).
◦ It’s a three-label scenario: TE label, LDP label, VPN label.
◦ Targeted LDP over the tunnel also does the job.
(tunnel-if)# mpls ip
123. TE in MPLS VPN (cont.)
— PE to VRF – TE Tunnel
◦ We can use a separate tunnel per VRF by giving each VRF its own BGP next hop (a loopback) and steering that loopback into its tunnel:
(vrf1)# bgp next-hop loopback1
124. Fast Re-Route
— FRR provides link and node protection.
— FRR backup tunnels are built in advance and as close as possible to the (possible) point of failure they protect.
— PLR = Point of Local Repair is the router that performs the recovery (switches the protected LSPs onto the backup tunnel).
125. FRR – Link Protection
— AKA facility backup because a complete link (all LSPs crossing it) is backed up.
◦ The backup tunnel is called NHOP (next-hop) bypass tunnel: from the PLR to the merge-point LSR on the far side of the protected link.
◦ “autoroute announce” should not be configured on it, as this tunnel is a backup, not a main tunnel!
◦ The primary tunnel requests protection, and the backup tunnel protects an interface:
(primary-tunnel-if)# tunnel mpls traffic-eng fast-reroute
(protected-if)# mpls traffic-eng backup-path tunnel1
# show mpls traffic-eng fast-reroute database detail
126. FRR – Node Protection
— Node protection works by creating a next-next-hop (NNHOP) backup tunnel that merges back two hops downstream.
— We have to exclude the protected node in the path options of the backup tunnel!
tunnel mpls traffic-eng fast-reroute node-protect
128. IP Precedence
— IP Precedence = the 3 most significant bits of the IP ToS byte
◦ 000 Routine
◦ 001 Priority
◦ 010 Immediate
◦ 011 Flash
◦ 100 Flash Override
◦ 101 Critical / ECP
◦ 110 Internetwork Control
◦ 111 Network Control
129. Differentiated Service Code Point
— DSCP or DiffServ (the 6 most significant bits of the ToS byte; the top 3 stay compatible with IP Precedence)
◦ Expedited Forwarding (EF)
– Low latency, low jitter, low loss, assured bandwidth
◦ Assured Forwarding (AF)
– Four classes (AF1 to AF4), each with three drop precedences (AFxy: x = class, y = drop precedence)
130. MPLS DiffServ
— E-LSP (EXP-inferred LSP)
◦ Supported by Cisco
◦ The 3 EXP bits (used like the IP Precedence bits) carry both the scheduling class and the drop precedence; one LSP carries all classes.
— L-LSP (Label-inferred LSP)
◦ Not supported by Cisco
◦ The label value itself identifies the scheduling class (one LSP per class); EXP carries only the drop precedence.
131. Default MPLS QoS Behavior
— In short, Cisco IOS does not change the QoS information of the IP packet along the path.
— During imposition:
◦ Copies the IP Precedence bits (top 3 bits of the ToS byte) into EXP (ToS reflection) when the ingress LSR adds one or more labels.
— At swap time:
◦ Copies EXP from the old label to the new label.
— During disposition:
◦ Does not copy EXP from the label into the IP ToS.
132. DiffServ Tunneling Models
— Defined in RFC 3270.
— The DiffServ model does not require a signaling protocol such as RSVP: the marking travels in the packet header.
— Pipe Mode
— Short Pipe Mode
— Uniform Mode
133. Pipe Mode
— The egress LSR performs forwarding / discarding / scheduling based on the EXP bits of the last label.
— Because the egress LSR needs that EXP, the penultimate hop must either send an explicit null label (instead of the default implicit null, which pops the label one hop early) so the EXP reaches the egress LSR, or copy the EXP into a “qos-group” and set it on the label underneath.
134. Short Pipe Mode
— The Pipe and Short Pipe models are almost the same: neither changes the IP ToS of the customer's data at all. They might change the EXP field of the MPLS label along the path, but the IP ToS field remains unchanged.
— The difference is at the egress LSR: the Pipe model performs forwarding / discarding / scheduling based on EXP, while the Short Pipe model does that based on the IP ToS, because in the Short Pipe model there might be no label left at all at the egress (PHP operation).
135. Uniform Model
— In the Uniform model, the EXP and the IP ToS fields of a packet always carry the same value: the MPLS core is part of the customer's DiffServ domain.
— If the provider changes the EXP in the core, the new value has to be copied into the IP ToS field at the egress point (or at the penultimate hop when PHP removes the last label).
136. DiffServ Tunneling Comparison
Mode             IP-to-Label         Label-to-Label   Label-to-IP
Pipe Mode        EXP set by SP       EXP copied       - (IP ToS untouched)
Short Pipe Mode  EXP set by SP       EXP copied       - (IP ToS untouched)
Uniform Mode     ToS copied to EXP   EXP copied       EXP copied to ToS
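A small simulation of the three tunneling models, added as an example (not part of the original notes, not IOS code): a packet with customer precedence 5 enters the core, the provider imposes EXP 3, a P router marks the label down to EXP 1, and the function reports the customer's final precedence and what the egress PE can classify on. The php and explicit_null flags model the PHP problem of pipe mode; the copy-back in uniform mode is what the qos-group configuration on the following slides implements. All names and values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    ip_prec: int                                   # customer IP precedence (3 bits of ToS)
    labels: list = field(default_factory=list)     # EXP of each label, top of stack last


def impose(pkt: Packet, mode: str, sp_exp: int) -> None:
    """Ingress PE pushes a label. Uniform: ToS (precedence) copied into EXP.
    Pipe / short pipe: the provider sets its own EXP; IP ToS is untouched."""
    pkt.labels.append(pkt.ip_prec if mode == "uniform" else sp_exp)


def swap(pkt: Packet, remark: int = None) -> None:
    """P router swaps the top label. EXP is copied old -> new by default;
    a provider policy may remark it (e.g. a policer marking down)."""
    old = pkt.labels.pop()
    pkt.labels.append(old if remark is None else remark)


def run(mode: str, ip_prec: int, sp_exp: int, remark: int = None,
        php: bool = True, explicit_null: bool = False) -> dict:
    """One packet through ingress PE -> P -> (PHP) -> egress PE. Reports the
    customer's final IP precedence and the value the egress PE can classify on.
    php=True: the penultimate hop pops the label; explicit_null=True: label 0
    (still carrying EXP) is sent to the egress instead."""
    pkt = Packet(ip_prec)
    impose(pkt, mode, sp_exp)
    swap(pkt, remark)
    exp = pkt.labels.pop()                         # EXP in the label when it is popped
    label_reaches_egress = (not php) or explicit_null
    if mode == "uniform":
        # IOS does not copy EXP to ToS by default; uniform mode needs the popping
        # router (the P at PHP, or the egress) to do it, e.g. via qos-group.
        pkt.ip_prec = exp
        egress_class = pkt.ip_prec
    elif mode == "pipe":
        # Egress schedules on EXP: lost if the label was already popped upstream.
        egress_class = exp if label_reaches_egress else None
    elif mode == "short_pipe":
        egress_class = pkt.ip_prec                 # egress schedules on customer ToS
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"mode": mode, "final_ip_prec": pkt.ip_prec, "egress_class": egress_class}


def compare(ip_prec: int = 5, sp_exp: int = 3, remark: int = 1) -> dict:
    """Constructed scenario for all three modes: customer marks precedence 5,
    the SP imposes EXP 3 and a P router marks the label down to EXP 1."""
    return {m: run(m, ip_prec, sp_exp, remark) for m in ("pipe", "short_pipe", "uniform")}


if __name__ == "__main__":
    for mode, result in compare().items():
        print(mode, result)
```

The pipe-mode result with the default PHP is `egress_class: None`: the marked-down EXP 1 never reaches the egress PE, which is exactly why that mode needs explicit null or a qos-group hand-over at the penultimate hop. Uniform mode is the only one that rewrites the customer's precedence (5 becomes 1).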
137. MPLS QoS Configuration
(config-pmap-c)# set mpls experimental topmost x
works inbound and outbound for label-to-label; doesn't work inbound for ip-to-label (there is no label yet)
(config-pmap-c)# set mpls experimental imposition x
inbound only: sets the EXP of the label(s) being imposed
(config-if)# mpls ip encapsulate explicit-null
requires the mpls ip command
(config)# mpls ldp explicit-null
advertise explicit null (label 0) instead of implicit null, so the penultimate hop keeps a label (and its EXP) on the packet sent to the egress LSR
138. MPLS QoS Configuration Example
— Label-to-label (on the PHP router): if the incoming top label has EXP 5, set EXP 5 on the label that becomes topmost when the top label is popped. The inbound policy saves the EXP in a qos-group; the outbound policy sets EXP from it.
class-map match-all in1
 match mpls experimental topmost 5
class-map match-all out1
 match qos-group 5
!
policy-map in1
 class in1
  set qos-group mpls experimental topmost
policy-map out1
 class out1
  set mpls experimental topmost 5
!
interface Ethernet0/0
 service-policy input in1
!
interface Ethernet0/1
 service-policy output out1
139. MPLS QoS Configuration Example
— Label-to-IP (on the egress PE): if the incoming top label has EXP 5, set IP precedence 5 while popping the last label (uniform model behavior).
class-map match-all in1
 match mpls experimental topmost 5
class-map match-all out1
 match qos-group 5
!
policy-map in1
 class in1
  set qos-group mpls experimental topmost
policy-map out1
 class out1
  set ip precedence 5
!
interface Ethernet0/0
 service-policy input in1
!
interface Ethernet0/1
 service-policy output out1
140. ATOM
— Any Transport over MPLS (AToM) = L2VPN
— AToM is the Cisco name for L2 transport over MPLS and is point-to-point.
— The intelligence to support AToM sits entirely on the PE routers; P routers only switch labels.
— L2TPv3 is the L2 transport service over an IP network (IP protocol number 115), while AToM is an MPLS solution.
— IETF has specified the pseudowire emulation edge-to-edge (PWE3) reference model in several RFCs, starting from draft-martini-l2circuit-trans-mpls-07.txt
141. ATOM (cont.)
— The Martini draft was named after Luca Martini, a former Cisco employee. It uses LDP for signaling. The trade-off was the lack of auto-discovery.
— The Kompella (Juniper) draft uses BGP for both signaling and auto-discovery to establish fully meshed pseudowires (multipoint).
— “draft-martini” and “draft-kompella” are used as names for the two different L2VPN service technologies (LDP vs. BGP for signaling).
— draft-kompella is obsolete and was not standardized in that form.
142. ATOM Labels
— The PSN (packet switched network) tunnel can be IP or MPLS.
— Attachment circuits (ACs) connect the CE to the PE; the pseudowire (PW) between the two PEs runs inside the PSN tunnel.
— The AC can be ATM, FR, HDLC, PPP, Ethernet, etc.
— The PE uses a label to identify each pseudowire. It is called the VC or PW label.
— AToM = VC label transported inside a transport (tunnel) label.
— The TTL of the VC label is set to 2.
143. ATOM LSP
— An LSP is unidirectional. Therefore, for a PW to be set up, two LSPs must exist between a pair of PE LSRs, one in each direction. (Targeted LDP session between the PEs.)
— The VC label is advertised in a Label Mapping message (with an LDP TLV extension, the PW ID FEC) using downstream unsolicited advertisement mode.
— If the MTU does not match on both sides, the pseudowire is not signaled (it stays down).
— If the AC goes down, the PE signals it by sending a Label Withdraw message to the remote PE.
144. ATOM Control Word
— If the C-bit is set in the PW signaling, it indicates the presence of the control word.
— The control word is a 32-bit field inserted between the VC label and the transported L2 PDU. It is required for some L2 PDU types and optional for others.
— L2 protocol control bits (e.g. FR FECN/BECN/DE), a sequence number, fragmentation and length information are carried in the control word.
— Because the MPLS header has no length field, a short PW payload that gets padded up to a link's minimum frame size could not be told apart from its padding. The length field in the fixed-size control word carries the real payload length so the egress PE can strip the padding.
145. ATOM MTU
— The AToM packet size can be estimated as:
◦ 4 + 4 bytes for the two labels + 4 bytes control word + encapsulated L2 header + encapsulated L3 data (e.g. IP 1500 bytes)
— Avoid fragmentation by carefully selecting the interface MTU and MPLS MTU values in the backbone: AToM frames are not IP packets and cannot be fragmented in the core.
— The MTU in the backbone should be at least 1530 bytes for Ethernet ACs, or path MTU discovery must be enabled on the customer side.
146. ATOM Sequencing
— Out-of-sequence packets are detected and dropped.
— In Cisco IOS sequencing is disabled by default and can be enabled under the pseudowire class:
◦ "sequencing both" = transmit and receive (or transmit / receive separately).
147. Pseudowire Class
— A pseudowire class is required for certain characteristics:
◦ Interworking
◦ Preferred-path (TE tunnel)
◦ Sequencing (frame order)
◦ Encapsulation type (AToM, L2TPv3)
148. ATOM Sample Configuration
(config)# pseudowire-class C1
(config-pw-class)# encapsulation mpls
(config-if)# xconnect 1.1.1.1 1 pw-class C1
Or, without a pseudowire class:
(config-if)# xconnect x.x.x.x vcid encapsulation mpls
# show mpls l2transport vc
# show mpls l2transport vc detail
to see local and remote labels
# show mpls l2transport hw-capability interface serial 3/7
AToM feature support per encapsulation type on that interface
149. ATOM – PPP AC
— The AToM PPP payload is only the PPP frame (protocol field and data).
— Egress PE routers add the flags, address and control fields and the FCS before sending the frame to the CE.
— Like-to-like functionality: the ACs on both sides of the MPLS network have the same encapsulation type.
— If there is no like-to-like AC, Interworking is required.
150. ATOM Frame-Relay DLCI-to-DLCI
— Flexible method.
— Each VC (DLCI) can be tunneled to a different PE.
— FECN, BECN, DE and C/R are copied into the control word as the F, B, D and C bits.
— LMI messages (Local Management Interface) are not transported across MPLS; the PE terminates LMI locally.
— After the control word an additional EtherType header is included in the payload (0x0800 = IP). This field is called NLPID in the IETF encapsulation.
151. ATOM Frame-Relay Port-to-Port
— Port-to-Port = port trunking
— The whole trunk of VCs goes over one pseudowire.
— LMI messages are transported and appear as HDLC frames to the PE routers.
— The AToM control word cannot hold the FR control bits in this mode; they are all 0.
152. ATOM ATM – AAL5
— In AAL5 mode the PE reassembles the cells of an AAL5 PDU and transports the whole frame over the pseudowire.
(config-if)# pvc 10/100 l2transport
(config-if-atm-l2trans-pvc)# encapsulation aal5
(config-if-atm-l2trans-pvc)# xconnect x.x.x.x 1000 pw-class C1
153. ATOM ATM Cell Relay
— Individual ATM cells are transmitted over the MPLS network (single cell relay), or multiple cells are packed into one frame (packed cell relay).
— Single Cell Relay
— Overhead =
◦ 8 bytes (2 labels) + 4 bytes ATM header (the HEC byte is not transported) = 12 bytes per cell
(config-if)# pvc 10/100 l2transport
(config-if-atm-l2trans-pvc)# encapsulation aal0
(config-if-atm-l2trans-pvc)# xconnect x.x.x.x 1000 pw-class C1
or configure in port mode, without a PVC, like a serial link
154. ATOM ATM Packed Cell Relay
— Multiple cells into one frame!
— A timer decides when to stop packing cells and transmit, and there is a maximum number of cells to be packed.
(config-if)# atm mcpt-timers 200 300 400
three timers to be used by the PVCs
(config-if)# pvc 10/100 l2transport
(config-if-atm-l2trans-pvc)# encapsulation aal0
(config-if-atm-l2trans-pvc)# cell-packing 28 mcpt-timer 3
max 28 cells per frame, use the third timer
(config-if-atm-l2trans-pvc)# xconnect x.x.x.x 1000 pw-class C1
155. ATOM Ethernet AC
— Two AC types for EoMPLS:
◦ Ethernet port mode (VC type = 5): transparently forwards Ethernet frames with or without an 802.1Q header.
◦ Ethernet VLAN mode (VC type = 4): the PE inspects the VLAN header. It is configured on a sub-interface or SVI.
156. ATOM Ethernet AC (cont.)
— Ethernet header =
◦ DA (6) + SA (6) + [TPID (2, 0x8100 = 802.1Q) + TCI (2: 3-bit CoS + CFI + 12-bit VID)] + EtherType (2) + Data + FCS (4)
◦ TPID is the Tag Protocol Identifier and TCI is the Tag Control Information.
◦ The ingress PE strips the preamble, Start of Frame Delimiter (SFD) and FCS, adds the control word and sends the frame over the PW.
◦ VLAN ID rewrite: an automatically enabled feature that rewrites the 802.1Q tag if the VLAN ID is different on the two sides of the AToM circuit.
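Added example (not from the original notes, not Cisco code): a parser for the encapsulation the last few slides describe, run over a constructed EoMPLS packet (not a capture): tunnel label, VC label with TTL 2, a generic control word, then the Ethernet header with an 802.1Q tag. It decodes each 32-bit label entry, checks that the control word starts with the 0000 nibble, and splits the TCI into CoS/CFI/VID. The padding handling assumes the control word's length field counts the bytes that follow the control word.

```python
import struct


def mpls_header(label: int, exp: int, bos: int, ttl: int) -> bytes:
    """Encode one 32-bit label stack entry: 20-bit label, 3-bit EXP,
    1-bit bottom-of-stack, 8-bit TTL."""
    assert 0 <= label < 2**20 and 0 <= exp < 8 and bos in (0, 1) and 0 <= ttl < 256
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def parse_label_stack(buf: bytes) -> tuple:
    """Return (labels, offset): one dict per entry, offset just past the bottom label."""
    labels, off = [], 0
    while True:
        (word,) = struct.unpack_from("!I", buf, off)
        entry = {"label": word >> 12, "exp": (word >> 9) & 7,
                 "bos": (word >> 8) & 1, "ttl": word & 0xFF}
        labels.append(entry)
        off += 4
        if entry["bos"]:
            return labels, off


def parse_control_word(word: int) -> dict:
    """Generic PW control word (RFC 4385): first nibble 0000 so the payload is
    never mistaken for IPv4/IPv6 by ECMP hashing, 4 flag bits, 2-bit FRG,
    6-bit length (real payload length when padding was added, else 0),
    16-bit sequence number (0 = sequencing disabled)."""
    if word >> 28 != 0:
        raise ValueError("not a PW control word: first nibble must be 0000")
    return {"flags": (word >> 24) & 0xF, "frg": (word >> 22) & 0x3,
            "length": (word >> 16) & 0x3F, "seq": word & 0xFFFF}


def parse_eompls(buf: bytes) -> dict:
    """Parse labels + control word + Ethernet header (optional 802.1Q tag)."""
    labels, off = parse_label_stack(buf)
    if len(labels) < 2:
        raise ValueError("expected at least a tunnel label and a VC label")
    (cw,) = struct.unpack_from("!I", buf, off)
    ctrl = parse_control_word(cw)
    off += 4
    pw_payload_start = off
    da, sa, ethertype = struct.unpack_from("!6s6sH", buf, off)
    off += 14
    frame = {"da": da.hex(":"), "sa": sa.hex(":"), "vlan": None}
    if ethertype == 0x8100:                        # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", buf, off)
        off += 4
        frame["vlan"] = {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0xFFF}
    frame["ethertype"] = ethertype
    # Assumption: a non-zero length field counts the bytes after the control
    # word, so everything beyond it is padding added for a short frame.
    end = pw_payload_start + ctrl["length"] if ctrl["length"] else len(buf)
    return {"tunnel": labels[0], "vc": labels[-1], "control_word": ctrl,
            "frame": frame, "payload_len": len(buf[off:end])}


def sample_packet() -> bytes:
    """Constructed EoMPLS packet (not a capture): tunnel label 17, VC label 16
    with TTL 2, EXP 5 on both (the 802.1Q PCP 5 copied into EXP), control word
    with sequence number 7, tagged frame on VLAN 100 carrying 46 dummy bytes."""
    da, sa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    tci = (5 << 13) | 100                          # PCP 5, CFI 0, VID 100
    eth = da + sa + struct.pack("!HHH", 0x8100, tci, 0x0800) + bytes(range(46))
    cw = struct.pack("!I", 7)                      # flags 0, frg 0, length 0, seq 7
    return mpls_header(17, 5, 0, 255) + mpls_header(16, 5, 1, 2) + cw + eth


if __name__ == "__main__":
    print(parse_eompls(sample_packet()))
```

A sanity check worth keeping in a real tool: if `vc["bos"]` is 0 the "VC label" is not the bottom of the stack, which means the packet carries an extra label (for example a TE label on top of LDP) and the control word offset would be wrong without the loop in parse_label_stack.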
158. ATOM Ethernet Q-in-Q
— Dot1q tunneling (QinQ) over AToM is possible at the PE.
— Tunnel label + VC label + control word + outer VLAN 800 tag + inner VLAN 1-50 tag + Ethernet frame
— Configuration on the PE requires double tagging:
(config-if)# switchport
(config-if)# switchport access vlan 800
(config-if)# switchport mode dot1qtunnel
(config-if)# spanning-tree bpdufilter enable
(config-vlan800)# mpls l2transport route x.x.x.x 800
on the SVI of the outer VLAN 800
159. ATOM Older Syntax
“mpls l2transport route x.x.x.x vcid”
is the older form of
“xconnect x.x.x.x vcid encapsulation mpls”
Note:
— The VC ID has to be unique per pair of PE LSRs.
160. ATOM Tunnel Selection
— AToM can use a TE tunnel instead of the default shortest labeled path, and falls back to the default path when the TE tunnel fails (unless fallback is disabled).
— Do not configure "autoroute announce" on the preferred-path tunnel; the pseudowire class already steers the PW traffic onto it.
(config)# pseudowire-class C1
(config-pw-class)# encapsulation mpls
(config-pw-class)# preferred-path interface tunnel1 [disable-fallback]
!
# show mpls l2transport vc x detail
161. ATOM QoS
— You must set EXP in the VC label if you want to preserve QoS information all the way to the egress PE: with the default implicit null, the penultimate hop pops the tunnel label, so only the VC label's EXP reaches the egress PE.
— 802.1Q priority bits are copied into EXP by default.
(config-if)# service-policy input set-EXP
162. ATOM Interworking
— L2VPN Interworking is an AToM feature that allows different encapsulation types on the two sides of the AToM network.
— Interworking translates one L2 encapsulation into another.
— Local Switching: allows a PE LSR to switch frames from one AC to another without sending them into the MPLS network.
163. VPLS
— Virtual Private LAN Service is like a virtual switch interconnecting sites in a point-to-multipoint (multipoint-to-multipoint) fashion.
— MAC address learning and aging are emulated in the virtual switch.
— VPLS requires a full mesh of PWs between the PE LSRs of each VPLS instance (full mesh of targeted LDP sessions).
— Split horizon is on by default.
◦ The PE performs split horizon in L2 forwarding: a flooded frame received on one PW is never forwarded to another PW. (The full mesh guarantees every other PE already received a copy directly.)
164. VPLS (cont.)
— The aging timer of a MAC entry is refreshed after receiving a frame from that MAC.
— VFI = Virtual Forwarding Instance.
◦ Each customer (VPLS instance) maps to a VFI in IOS.
— The VPN ID must be the same between the neighbors.
166. VPLS VFI
— By default, a VFI does not forward STP. Therefore the STP tree stops at the metro Ethernet site (split horizon is there).
— It's possible to tunnel CDP, STP & VTP for the CE using l2protocol-tunnel on the PE.
— We can create a trunk between PE and CE to map each VLAN (SVI) to one separate VFI.
167. Hierarchical VPLS
— The H-VPLS model consists of N-PE and U-PE.
— N-PE
◦ PE LSRs not directly attached to the customer, becoming Network PE or N-PE.
— U-PE
◦ User-facing PEs in the access layer, connecting the user to the N-PE.
CE > U-PE > N-PE > VPLS > N-PE > U-PE > CE
168. Hierarchical VPLS (cont.)
— H-VPLS can be configured with dot1q tunneling (QinQ) in the access layer.
— The provider VLAN is mapped to one VFI on the N-PE.
— The U-PE just puts the customer traffic inside a provider VLAN with double tagging.
169. Hierarchical VPLS (cont.)
— H-VPLS can also be built with MPLS in the access layer.
— A (spoke) PW between U-PE and N-PE.
— You need to disable the default split horizon on the N-PE for the spoke PW, so that frames arriving from the other N-PEs are forwarded to the U-PEs (and the other way round).
neighbor 1.1.1.1 encapsulation mpls no-split-horizon
mac-address-table limit vlan 22 max 5 action shutdown
limiting the MAC addresses learned for a VLAN (VFI)
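Added example (not from the original notes, not IOS code): a minimal VFI model showing MAC learning with the aging refresh, split horizon between the mesh PWs, the H-VPLS exception where the spoke PW to a U-PE is configured no-split-horizon and therefore behaves like an attachment circuit, and a MAC limit with a shutdown action. Port names, MAC addresses and timestamps are constructed.

```python
class VFI:
    """Virtual Forwarding Instance: one emulated switch per VPLS instance.
    Port kinds: "ac" (attachment circuit), "mesh" (PW in the full mesh, split
    horizon applies), "spoke" (H-VPLS PW to a U-PE, configured no-split-horizon)."""

    def __init__(self, vpn_id: int, aging_secs: int = 300, mac_limit: int = None):
        self.vpn_id = vpn_id
        self.aging = aging_secs
        self.mac_limit = mac_limit          # like "mac-address-table limit ... action shutdown"
        self.shutdown = False
        self.ports = {}                     # port name -> kind
        self.table = {}                     # mac -> [port, last_seen]

    def add_port(self, name: str, kind: str) -> None:
        if kind not in ("ac", "mesh", "spoke"):
            raise ValueError(f"unknown port kind {kind!r}")
        self.ports[name] = kind

    def _expire(self, now: float) -> None:
        """Drop entries whose aging timer ran out."""
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.aging]:
            del self.table[mac]

    def _learn(self, mac: str, port: str, now: float) -> None:
        if mac not in self.table and self.mac_limit is not None \
                and len(self.table) >= self.mac_limit:
            self.shutdown = True            # action shutdown: stop forwarding for this VFI
            return
        self.table[mac] = [port, now]       # (re)learn and refresh the aging timer

    def forward(self, src: str, dst: str, in_port: str, now: float) -> list:
        """Return the list of ports a frame (src -> dst) received on in_port goes out of."""
        self._expire(now)
        if self.shutdown:
            return []
        self._learn(src, in_port, now)
        if self.shutdown:
            return []
        if dst in self.table:                             # known unicast
            out = self.table[dst][0]
            return [] if out == in_port else [out]
        # Unknown unicast / broadcast: flood, honouring split horizon. A frame
        # from a mesh PW is never flooded to another mesh PW; ACs and spoke PWs
        # (no-split-horizon) receive it and may flood towards the mesh.
        from_mesh = self.ports[in_port] == "mesh"
        return [p for p, kind in self.ports.items()
                if p != in_port and not (from_mesh and kind == "mesh")]


def demo() -> dict:
    """Constructed N-PE with one AC, two mesh PWs and one spoke PW to a U-PE."""
    vfi = VFI(vpn_id=22)
    vfi.add_port("Gi0/1", "ac")
    vfi.add_port("pw-PE2", "mesh")
    vfi.add_port("pw-PE3", "mesh")
    vfi.add_port("pw-UPE1", "spoke")
    out = {}
    out["flood_from_mesh"] = vfi.forward("aa:01", "ff:ff", "pw-PE2", now=0)
    out["known_to_mesh"] = vfi.forward("bb:02", "aa:01", "Gi0/1", now=10)
    out["flood_from_spoke"] = vfi.forward("cc:03", "ff:ff", "pw-UPE1", now=20)
    out["aged_out"] = vfi.forward("bb:02", "aa:01", "Gi0/1", now=400)   # aa:01 expired
    return out


if __name__ == "__main__":
    for case, ports in demo().items():
        print(case, ports)
```

The first case is the split-horizon rule: the broadcast arriving from PE2 goes to the AC and to the U-PE spoke, never to PE3. The third case is why the spoke needs no-split-horizon: a frame from the U-PE must be flooded to the mesh PWs, which the default rule would forbid. The last case shows an aged-out entry falling back to flooding.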
170. Troubleshooting MPLS
— MPLS MTU is 1508 by default, adding room of 8 bytes for 2 labels.
— It is advisable to use dedicated routers for IP SLA (shadow routers).
— One shadow router, acting like a CE, per POP to measure POP-to-POP performance.
171. Troubleshooting MPLS (cont.)
— mpls ip ttl-expiration pop 1
◦ When the label TTL expires on a packet carrying one label, the P router pops it and routes the ICMP time-exceeded via the global IP table instead of forwarding it along the LSP to the tail end; useful for troubleshooting the path.
— no mpls ip propagate-ttl
◦ Hides the provider network from CE traceroutes: the ingress PE sets the label TTL to 255 instead of copying the IP TTL. (Depending on the IOS release, the PEs may still show up in the trace result.)
— no mpls ip propagate-ttl forward
◦ Is better than the previous command, because it hides the core only from forwarded (customer/VRF) traffic: traceroutes originated on the PE itself still propagate the TTL, so the provider can still trace the core hops.
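Added example (not from the original notes, not IOS code): a model of the three TTL settings, walking traceroute probes across CE1 > PE1 > P1 > P2 > PE2 > CE2 and returning which node answers each probe. The TTL rules in the comments are the ones described above; the copy-back rule at the egress (label TTL copied into the IP header only when it is smaller) is this model's assumption, chosen because it reproduces the visible behaviour. Node names are constructed.

```python
def send_probe(path: list, ip_ttl: int, propagate: bool) -> str:
    """Walk one probe along `path` (list of (name, role) tuples, roles
    src / ingress / p / egress / dst) and return the node that answers:
    the node where a TTL hits 0 (time-exceeded) or the destination.
    Modelled rules:
      * ingress PE: decrement the IP TTL, then push a label whose TTL is a
        copy of the IP TTL (propagate) or 255 (no propagate); a probe
        originated on the PE itself skips the decrement;
      * P router: decrement the label TTL only;
      * egress PE: on pop, copy the label TTL into the IP header only if it
        is smaller (model assumption), then decrement the IP TTL."""
    label_ttl = None
    for i, (name, role) in enumerate(path):
        originating = i == 0
        if role == "ingress":
            if not originating:
                ip_ttl -= 1
                if ip_ttl == 0:
                    return name
            label_ttl = ip_ttl if propagate else 255
        elif role == "p":
            label_ttl -= 1
            if label_ttl == 0:
                # time-exceeded from the P; it has no route back to the source,
                # so the ICMP rides the LSP to the egress and returns from there
                return name
        elif role == "egress":
            if label_ttl < ip_ttl:
                ip_ttl = label_ttl
            ip_ttl -= 1
            if ip_ttl == 0:
                return name
        elif role == "dst":
            return name
    raise ValueError("path must end with a dst node")


def traceroute(path: list, mode: str, locally_originated: bool = False) -> list:
    """mode: "propagate" (IOS default), "no-propagate" (no mpls ip propagate-ttl)
    or "no-propagate-forward" (... forward: the core is hidden only for
    forwarded customer traffic; the PE's own probes still propagate)."""
    propagate = mode == "propagate" or (mode == "no-propagate-forward" and locally_originated)
    hops = []
    for ttl in range(1, 32):
        responder = send_probe(path, ttl, propagate)
        hops.append(responder)
        if responder == path[-1][0]:
            break
    return hops


# Constructed topology: customer traceroute from CE1, and the same path as
# seen by a traceroute started on PE1 itself.
CUSTOMER_PATH = [("CE1", "src"), ("PE1", "ingress"), ("P1", "p"),
                 ("P2", "p"), ("PE2", "egress"), ("CE2", "dst")]
PE_LOCAL_PATH = CUSTOMER_PATH[1:]


if __name__ == "__main__":
    for mode in ("propagate", "no-propagate", "no-propagate-forward"):
        print(mode, traceroute(CUSTOMER_PATH, mode))
    print("PE1 local, forward-only:", traceroute(PE_LOCAL_PATH, "no-propagate-forward", True))
```

With the default the customer sees P1 and P2; with either no-propagate variant the customer sees only PE1, PE2 and CE2; and only the `forward` variant keeps the core visible to a traceroute run on the PE, which is the operational argument for preferring it.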
172. Troubleshooting MPLS (cont.)
— Debug using an MPLS access-list (range 2700-2799):
(config)# access-list 2700 permit any 16 any any any
(fields: source label - destination label - EXP - EOS)
# debug mpls packet 2700
# show ip cef exact-route source-ip dest-ip
# show mpls forwarding-table label label exact-path
# ping mpls ipv4 x.x.x.x
LSPV (LSP verification)
# traceroute mpls ipv4 x.x.x.x verbose
shows the MRU (maximum receive unit) of each hop
173. MPLS Useful Commands
— show mpls interfaces
— show mpls ldp discovery
— show mpls ldp neighbor
— show mpls forwarding-table
— show mpls ip binding
— show ip bgp vpnv4 all summary
— show ip vrf interfaces
174. MPLS Verbatim Path
tunnel mpls traffic-eng path-option 1 explicit name path1 verbatim
— Gives the ability to build TE LSPs across nodes that do not support the IGP extensions for TE but do support the RSVP extensions for TE.
— When enabled, the IP explicit path is not checked against the TE topology database.
— Since the TE topology database is not consulted, the Path message carrying the IP explicit path is routed hop by hop using the normal IP routing (SPF) table.